Security system

ABSTRACT

The present invention relates to a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to a safety function being disabled. The system comprises monitoring functions containing at least two control units and input terminals separately coupled to both control units, whereby each control unit executes its own instruction set and continuously compares the result of its execution with that of the other. At least one control unit can access the input and output terminal status of a second control unit and/or a number of flags, and the control units are arranged to monitor the results of the respectively executed instruction sets and to check that the results of the executions are substantially equivalent.

TECHNICAL FIELD OF THE INVENTION

[0001] The object of the system is to enable safety functions in machinery which, inter alia, comply with the requirement of the Machinery Directive 98/37/EG Appendix 1, 1.2.7: “A fault in the logic of the control circuit as well as damage to the control circuit must not lead to dangerous situations”. The system shall also comply with harmonized standard EN 954-1, category 4.

BACKGROUND OF THE INVENTION

[0002] The requirement for category 4 is found under section 6.2.5 in the EN 954-1 standard. The main requirement is:

[0003] Safety related components in the control system of category 4 shall be constructed so that:

[0004] an individual fault in any of these safety related components does not lead to loss of the safety function, and

[0005] the individual fault is detected at or before the next time the safety function is demanded, e.g. immediately, at start, at the end of a work cycle.

[0006] If this is not possible, accumulation of faults shall not lead to loss of the safety function. Category 4 implies that a random (stochastic) fault in the system should not lead to a safety function being left out, and the fault should be detected within one on/off cycle of the safety function.

[0007] If the system can determine that a fault corresponds to a particular safety function, e.g. an input or output, the output is disconnected for the affected safety function. Remaining outputs, which are not affected by the fault, continue to function.

[0008] European patent application EP 748 762 relates to a safety system for flow control, in which two processors are arranged which control the flow. Each processor runs its own programme, in the form of different “firmware”, and controls its own relay. If one of the relays is not controlled in the correct way, the processor linked to that relay ceases its control.

BRIEF DESCRIPTION OF THE INVENTION

[0009] For obtaining the objectives stated above, the invention provides a programmable safety system intended to be used for safety functions in which a fault in one control circuit does not lead to non-occurrence of a safety function. The system comprises monitoring functions containing at least two control units and input terminals separately coupled to both the control units, whereby each control unit executes its own instruction set and continuously compares the result of its execution with that of the other. At least one control unit can access the input and output terminal status of a second control unit and/or a number of flags, and the control units are arranged to monitor the result of each executed instruction set and to check that the results of the executions are substantially the same.

[0010] Thus, the system according to the invention complies with the requirements of category 4 according to harmonized standard EN 954-1 or the requirement of the Machinery Directive 98/37/EG appendix 1, 1.2.7.

[0011] Preferably, the input terminals are continuously read at a certain frequency, and a filter time is applied such that a decision is made based on the majority of the three latest readings, i.e. two readings after a change. Some of the input terminals have pull-up or pull-down resistors which are software-controlled, so as to be able to selectively receive NPN or PNP sensors.

[0012] Moreover, the system comprises a charging generator where the output voltage is generated by a capacitor which is continuously charged and discharged by transistors.

[0013] The transistors are each controlled by a respective control unit and conduct alternately, so that the capacitor is first charged by means of the first transistor opening to plus; thereafter a discharge occurs by means of the first transistor closing and the second transistor opening to zero volts. The charging generator demands that the control units are active, which implies immediate interruption of the power supply to the output terminal if a control unit ceases to execute instructions in a correct way. To obtain a more even output voltage, two charging generators are coupled in parallel with each other.

[0014] In a most preferred embodiment each control unit controls its own relay via separate transistors, and the two transistors are made of different technology. Moreover, the relays have forced contacts, monitored by the control units. Hence, a switching contact in each forced relay is coupled back to the control unit for checking that it has fallen, and, if the control unit only receives an answer from one of the two relays duplicating each other, the unit tries to activate and fell the malfunctioning relay again.

[0015] Preferably, the fall time is monitored at the output terminal, which can also be used for detecting an external short circuit to another, foreign voltage. When the control detects a short circuit to a foreign voltage, the output terminal is prevented from resuming, and a fault is indicated. The output terminals are dynamic, i.e. they operate input terminals by generating a unique pulse train, which implies that short circuits between channels coupled to different dynamic output terminals can be detected.

[0016] Every control unit in a network is identified by means of an identity carrier, and the identifier is an externally mounted circuit which stores a unique number and constitutes a part of the electric installation/the location where the unit is physically mounted. Thus, a unit is arranged to read the number of the identifier and thereby determine its own identity. Thus, the correct identity is maintained in case of change of a unit.

[0017] Preferably, the units are coupled together via a data bus and have access to one another's input status, output status and/or a number of flags. When a unit loses contact with the bus communication, the other units consider its I/O as logic zeroes. The bus is preferably a CAN bus.

[0018] Moreover, the system is connected to light barriers, of which the transmitters are operated by one dynamic output terminal each, the receivers are coupled to one input terminal each, and the input terminals are provided with output transistors via which the cables returning from the receiver to the input terminal have voltage applied thereto, whereby the system performs a test sequence with assistance therefrom which can distinguish a short circuit between the output terminal cables of the receivers from excess lighting.

[0019] The invention also relates to a method in a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to failure of a safety function, which system comprises monitored functions consisting of at least two control units and input terminals separately coupled to both the control units, whereby each control unit executes its own instruction set and continuously compares the result of its execution with that of the other. The method comprises making at least one input and/or output terminal status of a control unit and/or a number of flags accessible to another control unit, and arranging the control units to monitor the result of one instruction set each and to check that the results of the executions are substantially equivalent. Said result of the executions is provided in the form of status for input and/or output terminals and/or a number of flags.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] In the following, the invention will be further described in a non-limiting way with reference to the accompanying drawings, in which:

[0021] FIG. 1 schematically shows an embodiment of a system according to the invention,

[0022] FIG. 2 schematically shows a so-called “charging pump” in the system according to the invention,

[0023] FIG. 3 schematically shows a part of the system according to the invention,

[0024] FIG. 4 schematically shows different types of output terminals in the system according to the invention,

[0025] FIG. 5 schematically shows input terminals in the system according to the invention,

[0026] FIG. 6 schematically shows different connection strips in the system according to the invention,

[0027] FIG. 7 schematically shows a part of the system according to the invention, and

[0028] FIGS. 8 and 9 schematically show different types of output terminals.

DETAILED DESCRIPTION OF THE INVENTION

[0029] FIG. 1 schematically shows the system according to the invention. The various components in the system according to the invention are described in the following.

[0030] Input Terminals

[0031] All input terminals are redundant. A single input terminal provides stop according to category 4, EN 954-1.

[0032] The input terminals are continuously read at a certain frequency. The filter time is constituted by a decision being made based on the majority of the three latest readings, i.e. two readings after a change. There is a possibility to decrease or increase the filter time.

[0033] Some of the inputs have software-controlled pull-up or pull-down resistors in order to be able to selectively receive NPN or PNP sensors.

[0034] Charging Pump

[0035] “The charging pump”, schematically shown in FIG. 2, is a construction in which the output voltage is generated by a capacitor which is continuously charged and discharged by two transistors. The two transistors, which are controlled by one processor each, alternately conduct so that the capacitor is first charged by means of the first transistor opening to plus. Thereafter, discharge occurs by means of the first transistor closing and the second transistor opening to zero volts. During the discharge phase, the capacitor “sucks” current from the output terminal, and thereby the negative voltage on the output terminal occurs.

[0036] Due to the fact that the charging pump demands that the processors are active, the charging pump operates as a so-called “watchdog”, which effectively and immediately interrupts the energy supply to the output terminal if a processor stops executing the programme in the correct way.

[0037] For obtaining a more regular output voltage, two charging pumps can be coupled in parallel with each other. These two charging pumps work alternately, which implies that when the capacitor in one of the charging pumps is charged, the capacitor in the second charging pump is discharged. This construction is defined as a double charging pump.

[0038] Relay Output Terminals

[0039] Each processor controls one relay via separate transistors. For obtaining diversity, the two transistors are made of different technology. The relays have forced contacts and are monitored by the processors.

[0040] The software supervises the fall time of the relays.

[0041] For additional safety, the voltage to the relay windings is generated by a charging pump. In this manner, the processors have a further possibility to fell the relays, in addition to both the transistors controlling the relays directly.

[0042] A switching contact in each forced relay is coupled back to the processor for monitoring whether it has fallen. If the processor only receives a response from one of the two relays which duplicate each other, the processor tries to conduct and fell the malfunctioning relay again. Temporary faults in the controlling circuit on account of oxide on the contacts or the like do not necessarily imply generation of an alarm and stoppage.

[0043] Charging Pump Outlet Terminals

[0044] Each output terminal is operated by a double charging pump. Since the construction has diodes working as freewheel diodes, which provide an extended fall time in case of inductive loads on the output terminal, the output terminal is complemented with an additional transistor in series with the output terminal. The transistor is monitored by an input terminal to one of the microprocessors. The transistor is controlled by the other processor.

[0045] The input terminal to the processor controlling the fall time can also be used for detecting an external short circuit to another, foreign voltage.

[0046] Fall Time Supervision for Charging Pump Output Terminals

[0047] In the application program, the fall time supervision for any of the charging pump output terminals can be chosen. When the fall time supervision for an output terminal is triggered, the output terminal is prevented from returning and the fault is indicated.

[0048] Actuating the resetting button can reset the fault.

[0049] Short Circuit to a Foreign Voltage, Charging Pump Output Terminal

[0050] When the supervision detects a short circuit to a foreign voltage, the output terminal is prevented from returning and the fault is indicated.

[0051] Actuating a resetting button can reset the fault.

[0052] Transistor Output Terminals No Safety

[0053] The output terminals are intended for indication and as dynamic output terminals. Dynamic output terminals are output terminals operating input terminals. The first three output terminals IQ10-IQ12 can be used as dynamic output terminals. The dynamic output terminals yield a unique pulse train, making it possible to detect short circuits between channels coupled to different dynamic output terminals.

[0054] Two of the output terminals are monitored for current for complying with the requirement of supervision of indicator lamps for bypassing according to EN 61 496-1.

[0055] Identifiers

[0056] For identifying each unit in a network there is an identity carrier which is connected to a particular connecting strip. The identifier is an externally mounted circuit storing a unique number and constitutes a part of the electric installation/the location where the unit is physically mounted. A unit can read the number of the identifier and thereby determine its own identity. In case of change of a unit, the correct identity is maintained. The identity of every unit is important in a network coupling for being able to number the I/O in the system. When for instance an input terminal is used as a condition in the application programme, the denomination denotes both in which unit the input terminal is located and the input terminal number within the unit.

[0057] The system also prevents mixing up units with different programmes, by means of the user programme being able to be locked to only work together with the correct identifier.

[0058] CAN Bus External Communication

[0059] The units coupled to the bus obtain access to each other's input terminal status, output terminal status and a number of flags. When a unit loses contact with the bus communication, the other units consider its I/O as logical zeroes.

[0060] Excess Light on Light Barriers

[0061] The system can also cope with light barriers, where there are traditionally problems with interference from transmitters of other light barriers. The transmitters of the light barriers are operated by one dynamic output terminal each. The receivers are coupled to one output terminal each. Due to the fact that the input terminals are provided with output terminal transistors, it is possible to apply return voltage to the cable from the receiver to the input. The system can, with assistance from this, perform a test sequence which can distinguish short-circuiting between the output cables of the receivers from excess lighting. Excess lighting is defined as a transmitter of a light barrier system illuminating two receivers simultaneously.

[0062] Transmission of programmes between the target system (safety system) and the programme developing system occurs wirelessly via an opto link.

[0063] The Handling of Input Terminals and Output Terminals

[0064] The solution is based on a so-called two-processor solution, where both processors should arrive at the same result when executing the application programme as well as having “the same opinion” regarding the input and output terminal status. All the processors communicate with each other via the CAN bus, also the sister processors between themselves. Hereinafter, the processor and the sister processor are called processor A and processor B, respectively.

[0065] Data for input and output terminals is stored in a RAM memory. The part of the RAM memory in a processor handling the I/O is divided into two parts: one part for the input terminal status and one part for the output terminal status.

[0066] The Handling of Input Terminals/Input Terminal Status

[0067] The input terminals are called I0.0 . . . and so on upwards. The first unit in a network handles the input terminals I0.0-I0.17, the second unit I1.10-I1.17, the third unit I2.0-I2.17 and so on.

[0068] The RAM is divided into three parts for the input terminals:

[0069] IA000 . . . — data acquired by the A-processors,

[0070] IB000 . . . — data acquired by the B-processors, and

[0071] I000 . . . — process data.

[0072] Process data is data used by the application programme. The division of the RAM is performed so that the address of the first input terminal in each of the three parts is not an even multiple of 2. Thus, more than one bit alteration in the address word is required for pointing out IA000 instead of IB000, so a single corrupted address bit cannot make a read of one area silently land in another.
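The address-separation rule in [0072] can be checked mechanically: for a proposed RAM layout, compute the smallest number of address bits that differ between any address in one area and any address in another area; if that minimum is 1, a single-bit address fault can redirect a read from IA into IB or I. The following is an added example, not code from the patent, and the area base addresses and lengths are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* One area of the input image: IA000..., IB000... or I000... (process data).
 * The base addresses and lengths used below are constructed, not from the patent. */
struct area {
    uint16_t base;   /* address of the first input terminal in the area */
    uint16_t len;    /* number of consecutive addresses in the area */
};

/* Number of bit positions in which two 16-bit address words differ. */
unsigned hamming16(uint16_t a, uint16_t b) {
    uint16_t x = a ^ b;
    unsigned n = 0;
    while (x) { n += x & 1u; x >>= 1; }
    return n;
}

/* Smallest Hamming distance between an address in one area and an address in a
 * different area. A result of 1 means one flipped address bit is enough to read
 * IB... or I... when IA... was meant, which [0072] requires the layout to prevent. */
unsigned min_cross_distance(const struct area *areas, int n) {
    unsigned best = 16;
    for (int x = 0; x < n; x++) {
        for (int y = 0; y < n; y++) {
            if (x == y) continue;
            for (uint32_t a = areas[x].base; a < (uint32_t)areas[x].base + areas[x].len; a++) {
                for (uint32_t b = areas[y].base; b < (uint32_t)areas[y].base + areas[y].len; b++) {
                    unsigned d = hamming16((uint16_t)a, (uint16_t)b);
                    if (d < best) best = d;
                }
            }
        }
    }
    return best;
}

/* The layout meets the requirement when more than one address bit must change. */
int layout_is_safe(const struct area *areas, int n) {
    return min_cross_distance(areas, n) >= 2;
}

/* Constructed layouts, 32 addresses per area (local terminals plus bus data).
 * Order: IA, IB, I. In the unsafe layout IA (0x0100) and I (0x0300) differ in
 * a single bit, so corrupting bit 9 of an IA address selects process data instead. */
const struct area SAFE_LAYOUT[3]   = { {0x0100, 32}, {0x0200, 32}, {0x0400, 32} };
const struct area UNSAFE_LAYOUT[3] = { {0x0100, 32}, {0x0200, 32}, {0x0300, 32} };

int main(void) {
    printf("safe layout:   min cross-area distance %u -> %s\n",
           min_cross_distance(SAFE_LAYOUT, 3), layout_is_safe(SAFE_LAYOUT, 3) ? "ok" : "REJECT");
    printf("unsafe layout: min cross-area distance %u -> %s\n",
           min_cross_distance(UNSAFE_LAYOUT, 3), layout_is_safe(UNSAFE_LAYOUT, 3) ? "ok" : "REJECT");
    return 0;
}
```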

[0073] The working procedure for e.g. processor A in the first unit is the following:

[0074] The processor reads the input terminals I0.0-I0.17 of its own unit and places the results in the memory addresses IA000-IA017, as well as sending them on the bus to the remaining processors. The processor continuously reads the input status of other processors from the bus, and places the data in the remaining part of IA . . . and IB . . . Among the data comes data from the sister processor B, which is placed in IB000-IB017. Thereafter the memory areas IA . . . and IB . . . are compared, and if the content is the same, the content is copied to the memory area for the process data I000 . . . Dissimilarities discovered in the comparison lead to an alarm as well as the processor felling its own safety output terminals. However, dissimilarities of short duration are accepted, since they will occur on account of hardware-related differences between the two channels.
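The scan cycle of processor A described in [0073]-[0074], combined with the majority-of-three input filter from [0032], can be modelled as follows. This is an added example, not code from the patent: the 16 local terminals are one bit each in a 16-bit word, the sister processor's image is handed in directly instead of arriving over the CAN bus, and the number of consecutive mismatching cycles tolerated before alarm (MISMATCH_LIMIT) is an assumed tuning value, since the patent only says that short-duration dissimilarities are accepted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: consecutive scan cycles IA and IB may disagree before it is a fault. */
#define MISMATCH_LIMIT 3

/* A-processor state for its own unit's 16 input terminals (I0.0-I0.17 as bits). */
typedef struct {
    uint16_t samples[3];        /* three latest raw readings of the terminals */
    uint16_t ia;                /* IA000-IA017: filtered inputs acquired by A */
    uint16_t ib;                /* IB000-IB017: B's image of the same terminals */
    uint16_t process;           /* I000-I017: process data for the application programme */
    unsigned mismatch_cycles;   /* how many cycles in a row IA and IB have differed */
    bool alarm;
    bool safety_outputs_felled;
} channel_a_t;

/* Bitwise majority of three readings: a bit only changes once two of the three
 * latest readings show the new level ("two readings after a change"). */
uint16_t majority3(uint16_t a, uint16_t b, uint16_t c) {
    return (a & b) | (a & c) | (b & c);
}

/* Start from a settled state where both channels agree on initial_reading. */
void channel_a_init(channel_a_t *ch, uint16_t initial_reading) {
    memset(ch, 0, sizeof *ch);
    for (int i = 0; i < 3; i++) ch->samples[i] = initial_reading;
    ch->ia = ch->ib = ch->process = initial_reading;
}

/* One scan cycle: raw is this cycle's reading of the local terminals, ib_from_bus
 * the sister processor's image. Returns true when the channels agree and the
 * process data was updated. */
bool channel_a_cycle(channel_a_t *ch, uint16_t raw, uint16_t ib_from_bus) {
    ch->samples[2] = ch->samples[1];
    ch->samples[1] = ch->samples[0];
    ch->samples[0] = raw;
    ch->ia = majority3(ch->samples[0], ch->samples[1], ch->samples[2]);
    ch->ib = ib_from_bus;   /* in the real unit this arrives on the CAN bus */

    if (ch->ia == ch->ib) {
        ch->process = ch->ia;          /* IA and IB agree: copy to I000... */
        ch->mismatch_cycles = 0;
        return true;
    }
    /* Disagreement: keep the last agreed process data. A short disagreement is
     * expected from hardware differences between the channels; a persistent one
     * is a fault, so raise the alarm and fell this processor's safety outputs. */
    if (++ch->mismatch_cycles >= MISMATCH_LIMIT) {
        ch->alarm = true;
        ch->safety_outputs_felled = true;
    }
    return false;
}

/* Constructed scenario 1: input I0.1 goes high and B reports it one cycle before
 * A's filter accepts it. Expected: no alarm, process data ends at 0x0003. */
bool scenario_transient_mismatch(void) {
    channel_a_t ch;
    channel_a_init(&ch, 0x0001);
    channel_a_cycle(&ch, 0x0003, 0x0003);   /* A still filtering: IA=0x0001, IB=0x0003 */
    channel_a_cycle(&ch, 0x0003, 0x0003);   /* second reading: IA=IB=0x0003 */
    return !ch.alarm && ch.process == 0x0003;
}

/* Constructed scenario 2: B's reading of I0.1 stays stuck at 0 while A sees 1.
 * Expected: alarm and felled outputs after MISMATCH_LIMIT mismatching cycles,
 * process data frozen at the last agreed value 0x0001. */
bool scenario_channel_stuck(void) {
    channel_a_t ch;
    channel_a_init(&ch, 0x0001);
    for (int i = 0; i < MISMATCH_LIMIT + 1; i++)
        channel_a_cycle(&ch, 0x0003, 0x0001);
    return ch.alarm && ch.safety_outputs_felled && ch.process == 0x0001;
}

int main(void) {
    printf("transient mismatch tolerated: %s\n", scenario_transient_mismatch() ? "yes" : "no");
    printf("stuck channel detected:       %s\n", scenario_channel_stuck() ? "yes" : "no");
    return 0;
}
```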

[0075] The Handling of Output Terminals/Output Terminal Status

[0076] The output terminal status is handled in the same way as the input terminal status, the difference being that it is not the hardware which causes the change of status, but instead the application programme which has made the decision that a certain output terminal is going high or low. The application programme is the part of the software written by the user.

[0077] In a corresponding way as for the input terminal status, there are memory areas QA000 . . . , QB000 . . . , and Q000 . . . for process data. The difference in processing is that each unit's process data is updated by the application programme of each processor, respectively. Thereafter the process data is copied to its location in QA . . . /QB . . . for comparison as well as being sent out on the bus.

[0078] The invention is a programmable safety system intended to be used for safety functions, where it is not accepted that a fault in the control circuit leads to the safety function not being activated. To achieve this, the functions are therefore doubled and monitored. In comparison to a conventional PLC system, consequently, the invention has two microprocessors. Every input terminal is separately coupled to both processors, each of which has a memory of its own, executes its own programme and continuously compares the result with the other. Every safety output terminal is coupled to both processors, and can therefore not operate until these are in agreement that the conditions are fulfilled.

[0079] The invention is primarily constructed to comply with the requirement of the machinery directive for safety in control systems, and the requirements for category 4 according to harmonized standard EN 954-1. However, this does not prevent use within other areas such as the processing industry, boiler plants etc., where corresponding safety requirements are demanded.

[0080] The invention is accommodated in a wide enclosure, which is snapped onto a DIN rail in a control panel or another enclosure. External conductors are connected on a screw connection block. For facilitating the work and preventing incorrect coupling in case of exchange of a unit, the connecting strips are detachable.

[0081] Electrical Connection

[0082] The system, schematically shown in FIG. 3, can be fed with 24 V DC. The 0 V connection of the system should be connected to protective ground, on one hand for electrical safety reasons, and on the other hand for detecting earth faults which may otherwise disable the safety function (see EN 60 204-1, 9.1.4).

[0083] Inputs and Outputs

[0084] To be as comprehensive as possible, the invention is provided with a varied range of types of input and output terminals, schematically shown in FIG. 4.

[0085] I0-I7 Digital Safety Input Terminals

[0086] Each input terminal, schematically shown in FIG. 5, is connected to both processors, which permits coupling of safety functions of one channel as well as of two channels. The input terminals can be operated by e.g. +24 V or any of the dynamic output terminals IQ10-12.

[0087] IQ10-17 Digital Safety Input Terminals, Digital Output Terminals (Not Safety)

[0088] This category of 8 connecting strips, schematically shown in FIG. 6, contains 4 functions. Each connecting strip is connected to both processors as an input terminal and can thereby be used as a safety input terminal.

[0089] Each connecting strip also has an output transistor, which implies that the user can choose to configure the strips as output terminals, though not as safety output terminals. The output terminals are intended for functions which do not require redundancy, e.g. indicator lights, schematically shown in FIG. 7.

[0090] IQ10-IQ12 can be configured as dynamic output terminals used for operating input terminals. Once a terminal is configured as such, a unique pulse train is generated. Due to the fact that the input terminal is configured to only accept this pulse train as an input condition, the system can detect external short circuits. See further description.

[0091] IQ16-IQ17 can monitor the output current when the connecting strips are used as output terminals. The function is primarily intended for supervision of bypass lamps (muting lamps) according to EN 61 496-1. In certain cases, it is appropriate to indicate that a safety arrangement is bypassed. By checking that a current flows it is possible to supervise that the filament of the lamp is unbroken.

[0092] Q0-Q1 Safety Output Terminals Relay

[0093] Potential-free relay output terminals, where every output terminal is separately redundant by doubling two relay contacts in series, each controlled by one processor. Irrespective of the risk of external short circuits in e.g. cabling, one single output terminal can be used for controlling a safety function.

[0094] In addition to the relays being controlled by separate transistors, the voltage to the relay windings is generated by a charging pump. (For the function of the charging pump, see the following description of transistor output terminals.)

[0095] Q2-Q3 Safety Output Terminals Transistor

[0096] Digital safety output terminals, where every output terminal is separately redundant and thereby can alone control a safety function, see FIGS. 8 and 9. The output voltage is nominally approx. −24 V.

[0097] The negative output voltage is due to the fact that the principle of the charging pump is applied. The charging pump is a construction where the output voltage is generated by a capacitor which is continuously charged and discharged by two transistors. The two transistors alternately conduct so that the capacitor is first charged by means of one of the transistors opening to plus, which thereafter closes, whereupon the second transistor opens to zero volts and the capacitor is discharged. During the discharge phase, the capacitor “sucks” current from the output terminal, and the negative voltage on the output thereby occurs. Due to the fact that the construction requires all the components to work and to continuously alternate state in the correct phase, a fault in any of the involved components causes the generation of the output voltage to stop immediately.

[0098] An advantage for a user of having negative voltage on the output terminal is that this is not normally the voltage used in existing electric systems. Therefore the invention can discover external short circuits between the output terminal and foreign voltages, since the voltage level of the output terminal is monitored.

[0099] Bus Communication

[0100] Several units according to the invention can be coupled together with a CAN bus in a network. The coupling is made by means of connecting the connecting strips CH and CL of each unit, respectively, via twisted-pair cabling. As soon as the coupling is performed, the units are able to read each other's I/O.

[0101] In case of network coupling, the principle is that each unit executes its own programme and thereby lives an independent life. An interruption on the bus leads to the I/O of a unit to which contact is lost being considered as set to 0 by the other units, though the programme execution proceeds. Thus, it is the programme of the user which determines the consequence of an interruption. For instance, if an input terminal set to 1 in another unit is a condition for drawing an output terminal, the output terminal will fall, while another output terminal which only has its own I/O as conditions will not be affected by the interruption.

[0102] The development of user programmes is performed on a PC. The communication between the PC and the PLC system occurs wirelessly via an IR port. In addition to downloading and uploading of programmes there is a monitor function, whereby the PC can read the actual status of the input terminals, output terminals and the auxiliary memories.

[0103] The number of units, components, signals, signal levels, etc. according to the preceding description are given as examples, and can be varied with consideration to application, requirements, etc.

1. A programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to a safety function being disabled, which system comprises monitoring functions containing at least two control units, inputs separately coupled to both the control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with each other, characterized in that at least one control unit can access the status of the input and output terminals of a second control unit and/or a number of flags, and that the control units are arranged to monitor the result of respectively executed instruction sets and to control that the results of the executions are substantially equivalent.
2. A system as claimed in claim 1, characterized in that it complies with the requirement of category 4 according to the harmonized standard EN 954-1.
3. A system as claimed in claim 1, characterized in that it complies with the requirement of the machinery directive 98/37/EG Appendix 1, 1.2.7.
4. A system as claimed in claim 1, characterized in that the input terminals are continuously read at a certain frequency.
5. A system as claimed in claim 4, characterized in that a filter time is based on a decision being made based on the majority of the three latest readings, i.e. two readings after a change.
6. A system as claimed in claim 4 or 5, characterized in that some of the input terminals have pull-up or pull-down resistors, which are software controlled, for selectively receiving NPN or PNP sensors.
7. A system as claimed in any of claims 1-6, characterized in that the system comprises a charging generator, where the output voltage is generated by a capacitor which is continuously charged and discharged by transistors.
8. A system as claimed in claim 7, characterized in that the transistors, which are each controlled by a respective control unit, alternately conduct so that the capacitor is first charged by means of the first transistor opening to plus, and thereafter discharge occurs by means of the first transistor closing and the second transistor opening to zero volt.
9. A system as claimed in claim 8, characterized in that the charging generator requires that the control units are active, which leads to an immediate interruption of the energy supply to the output terminal if a control unit ceases to execute instructions in a correct way.
10. A system as claimed in claim 7, characterized in that a more even output voltage is obtained by means of two charging generators being coupled in parallel with each other.
11. A system as claimed in claim 1, characterized in that each control unit controls a respective relay via separate transistors.
12. A system as claimed in claim 10, characterized in that the two transistors are made of different technology.
13. A system as claimed in claim 10, characterized in that the relays have forced contacts, monitored by the control units.
14. A system as claimed in claim 12, characterized in that a switching contact in every forced relay is coupled back to the control unit for controlling that it has fallen, and if the control unit only receives an answer from one of two relays doubling each other, the unit tries to conduct and fell the missing relay again.
15. A system as claimed in claim 1, characterized in that the fall time is monitored at the output terminal, which fall time also can be used for detecting an external short circuit to another, foreign voltage.
16. A system as claimed in claim 15, characterized in that when the supervision detects a short circuit to a foreign voltage, the output terminal is prevented from returning and a fault is indicated.
17. A system as claimed in claim 1, characterized in that the output terminals are dynamic, which operate input terminals by generating a unique pulse train, which implies that short circuits between channels coupled to different output terminals can be detected.
18. A system as claimed in claim 1, characterized in that each unit in a network is identified by means of an identity carrier.
19. A system as claimed in claim 18, characterized in that the identifier is an externally mounted circuit which stores a unique number and constitutes a part of the electric installation location where the unit is physically mounted.
20. A system as claimed in claim 19, characterized in that a unit is arranged to read the number of the identifier, and thereby determine its own identity.
21. A system as claimed in claim 18, characterized in that the correct identity is maintained in case of change of a unit.
22. A system as claimed in claim 1, characterized in that the units are coupled together via a data bus and have access to each other's input and output terminal status and/or a number of flags.
23. A system as claimed in claim 22, characterized in that when a unit loses contact with the bus communication, the other units consider its I/O as logical zeroes.
24. A system as claimed in claim 22, characterized in that the bus is a CAN bus.
25. A system as claimed in claim 1, characterized in that the system is connected to light barriers, the transmitters of which are operated by one dynamic output terminal each, that the receivers are coupled to one output terminal each, that the input terminals are provided with output transistors via which return voltage is applied to cables from the receiver to the input terminal, whereby the system performs a test sequence which can distinguish short circuits between the output cables of the receivers from excess lighting.
26. A method in a programmable safety system intended to be used for safety functions, in which a fault in a control circuit does not lead to a safety function being disabled, which system comprises monitored functions containing at least two control units, input terminals separately coupled to both control units, whereby each control unit executes its own instruction set and continuously compares a result from the execution with each other, characterized in that at least the input and output terminal status of a second control unit and/or a number of flags are made available to a control unit, and that the control units are arranged to supervise the result of each respectively executed instruction set and to control that the results of the executions are substantially equivalent.
27. A method as claimed in claim 26, characterized in that the result of the executions is provided in the form of status for the input terminals and/or output terminals and/or a number of flags.